Enterprise customers might not need custom hardware to support all the sites on their VPNs (virtual private networks), especially if those sites have dedicated Internet connections that are T-1 or smaller.

Certain PC-based VPN gateways can easily fill a 1.5M bit/sec Internet link, according to recent studies by The Tolly Group, a technology consulting and testing firm. That means it might not be necessary to buy products designed as single-purpose boxes that act as the VPN gateway between the PCs at an individual site and that site's connection to the Internet.

While some purpose-built hardware, such as appliances made by WatchGuard, SonicWALL and NetScreen, might perform better than general-purpose hardware, some of that performance is overkill for certain VPN configurations, says Kevin Tolly, president of The Tolly Group.

For instance, a VPN built around DSL connections slower than 1.5M bit/sec, or around full T-1 lines, doesn't need a faster VPN gateway, he says. "The fastest you can go on T-1 is T-1, so if a software box can go five times T-1, and a hardware box can go 10 times T-1, it's really irrelevant. Once you fill the T-1, you're done," Tolly says.

According to tests commissioned by VPN vendor OpenReach and performed by The Tolly Group, OpenReach's software could establish tunnels and pass Triple-DES-encrypted data at 8M bit/sec when it was handling small, 64-byte packets. The hardware platform used was a PC with a 500MHz processor.

Just routing packets this small taxes processors even without encryption, because more packets pass through per second. Performance was faster for larger packets, just shy of 1G bit/sec (see graphic). Fewer of these large packets pass through the device per second, so less route processing is required.
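The packet-size argument above turns into a simple sizing check: convert link speed and gateway throughput into packets per second, treat the small-packet figure as the gateway's worst case, and compare that against the link. The following is an added example, not code from the article or from OpenReach or The Tolly Group. It uses the throughput figures the article quotes (8M bit/sec at 64-byte packets, just shy of 1G bit/sec at large packets) and assumes a T-1 of 1.544M bit/sec, "large" packets of 1500 bytes, and packet sizes counted as bytes on the wire with no link-layer framing; those three assumptions are mine.

```python
"""Added example (not from the article): does a software VPN gateway fill the link?

Figures the article quotes: the OpenReach software gateway on a 500MHz PC
passed 8M bit/sec of Triple-DES traffic at 64-byte packets and just shy of
1G bit/sec at large packets. Assumptions (mine, not the article's): a T-1 is
1.544M bit/sec, "large" packets are 1500 bytes, and packet sizes are counted
as bytes on the wire with no link-layer framing.
"""

T1_BPS = 1_544_000           # assumption: nominal T-1 rate
DSL_BPS = 768_000            # assumption: a sub-T-1 DSL tier, for comparison

# Measured gateway throughput by packet size, from the article's numbers.
GATEWAY_BPS_BY_PACKET_SIZE = {
    64: 8_000_000,           # small packets: per-packet work dominates
    1500: 1_000_000_000,     # large packets (the 1500-byte size is an assumption)
}


def packets_per_second(bits_per_sec, packet_bytes):
    """Packet rate needed to carry bits_per_sec using packets of packet_bytes."""
    return bits_per_sec / (packet_bytes * 8)


def headroom(gateway_bps, link_bps):
    """How many times over the gateway could fill the link (Tolly's 'five times T-1')."""
    return gateway_bps / link_bps


def bottleneck(gateway_bps_by_size):
    """Packet size at which the gateway is slowest, and its throughput there.

    The small-packet figure is the one that matters: it is the gateway's
    worst case, so it is the number to compare against the link.
    """
    size = min(gateway_bps_by_size, key=gateway_bps_by_size.get)
    return size, gateway_bps_by_size[size]


def fills_link(gateway_bps_by_size, link_bps):
    """True if the gateway can saturate the link even at its worst packet size."""
    _, worst_bps = bottleneck(gateway_bps_by_size)
    return worst_bps >= link_bps


def sizing_report(gateway_bps_by_size, link_bps):
    """Summary of the packet rates the link can demand and the verdict."""
    size, worst_bps = bottleneck(gateway_bps_by_size)
    lines = []
    for pkt in sorted(gateway_bps_by_size):
        link_pps = packets_per_second(link_bps, pkt)
        gw_pps = packets_per_second(gateway_bps_by_size[pkt], pkt)
        lines.append(f"{pkt:5d}-byte packets: link needs {link_pps:9.0f} pps, "
                     f"gateway handles {gw_pps:9.0f} pps")
    verdict = "fills" if fills_link(gateway_bps_by_size, link_bps) else "cannot fill"
    lines.append(f"worst case is {size}-byte packets at {worst_bps / 1e6:.1f}M bit/sec: "
                 f"{headroom(worst_bps, link_bps):.1f}x the link, gateway {verdict} the link")
    return "\n".join(lines)


if __name__ == "__main__":
    print(sizing_report(GATEWAY_BPS_BY_PACKET_SIZE, T1_BPS))
    print()
    print(sizing_report(GATEWAY_BPS_BY_PACKET_SIZE, DSL_BPS))
```

The small-packet number is the one to carry into a purchase decision: a T-1 full of 64-byte packets demands about 3,000 packets per second, and a gateway measured at 8M bit/sec on that packet size handles about 15,600, roughly five times the link, which is the point Tolly makes. Swapping in a vendor's own small-packet figure for `GATEWAY_BPS_BY_PACKET_SIZE[64]` gives the same verdict for any other box.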

OpenReach leases its Linux-based gateway software to customers and manages their VPNs for a monthly fee. Customers have to supply their own PC hardware and Internet connections.

While the performance of the VPN-specific functions is adequate for T-1 connections, users might want more features than they can get on a PC platform, says Henry Goldberg, an analyst for Cahners In-Stat Group. "You have to look at a product from all its different features as well as cost," he says.

In the case of OpenReach, users get a packet-filtering firewall. A user could buy a purpose-built SonicWALL small office/home office (SOHO) VPN appliance and get a full stateful-inspection firewall plus antivirus software along with it for about $600. Or a customer could buy a WatchGuard SOHO for about the same price and get a firewall and a year's worth of service free.

Tolly says the purpose-built vs. general-purpose hardware issue revives a debate that arose about 10 years ago over routers and bridges: whether general-purpose hardware was fast enough.

This story, "VPN hardware: Does IT need specialty solutions?" was originally published by Network World.